Scammers, hackers and spies hit trail

Political campaigns are hotbeds of criminal activity and mischief — just not in the way you think.

The fly-by-night, pressure-cooker and skinflint environment of political campaigns makes them uniquely vulnerable to hackers, criminals and ideological foes, campaign operatives and cybersecurity experts say.

Story Continued Below

At the same time, a top-notch data mining operation is essential to modern political operations, and candidates and parties are collecting and keeping more personal information on every voter than ever before.

Recent years have seen more and more mischief in cyber-campaign land. Data breaches and misplaced donor or voter information can fall into the wrong hands. Foreign intelligence services have reportedly found their way into campaign servers. Hackers looking to embarrass politicians have altered campaign websites. And credit card scammers have found that making small donations are a great way to test stolen MasterCard and Visa numbers.

”If the U.S. government, the Chamber of Commerce, Target and others who presumably spend millions or even billions on cybersecurity measures still have to contend with security breaches, hacks and so on every so often, it really shouldn’t surprise anyone to know that political campaigns are vulnerable to exactly the same kind of threat,” said Liz Mair, a digital consultant and former online communications director at the Republican National Committee.

But given campaigns aren’t built for the long-haul and the focus is on winning, security takes a back seat.

“The lack of appropriate cybersecurity measures may be because some consultants just don’t prioritize it when they’re facing the hard deadline of election day and the only real objectives are robust fundraising and supporter engagement,” Mair said. And digital experts may only be concerned about making their security systems — and their contracts — last to Election Day — she added, leaving them vulnerable once the campaigns are over.

But Scott Goodstein, the CEO of the digital firm Revolution Messaging and a former digital staffer on Obama’s 2008 campaign, said the digital world is simply a new wrinkle on an old problem. “Campaigns have always had the problem of data security,” he said.

A volunteer could come in the front door and take your research binder, Goodstein suggested. Confidential documents or donor information written on paper frequently get left behind. Unscrupulous volunteers could easily steal credit card information — even when it’s written on paper.

“Security is not just a let’s-blame-the-Internet problem,” Goodstein said.

The biggest known personal data breach in politics came in 2009, when the organization Wikileaks posted credit card information from 4,700 of Norm Coleman’s online donors. At the time, Coleman was battling Al Franken in a tight recount and was seeking donations to keep the legal battle alive, but his campaign had to instead call for donors to cancel their credit cards.

Several campaigns or vendors have also inadvertently exposed user or voter information — from personal home addresses to credit card data.

In late May, some campaigns using of NationBuilder, a political web hosting platform, inadvertently exposed information like the home address and phone number of the supporters of candidate to anyone who had the supporter’s email address, the Calgary Herald first reported.

But screenshots provided by a digital operative show that the same problem affected several U.S.-based websites using the NationBuilder platform.

NationBuilder closed the loophole, saying in a blogpost: “We have decided not to support the previous functionality, and we apologize if you were relying upon that.”

The company declined to talk further about user privacy or data security.

Consultants say that most campaigns are aware of their vulnerabilities — even if they don’t always have the resources they wish they could dedicate to security. “Whether you’re a first-time challenger or a long-term incumbent, you sort of realize that this is the new reality and you need to be up to speed on it,” said Democratic consultant Taryn Rosenkranz, founder & CEO of New Blue Interactive.

CREDIT CARD SCAMMERS

Political campaigns at all levels have emerged as a useful tool for credit card scammers.

When credit card information is stolen, it’s often packaged and sold in bulk with dozens or hundreds of other stolen cards numbers. Those sellers and buyers need a way to test if the victim is aware of the theft and has taken steps to deactivated the card. Enter political campaigns.

Unlike using a commercial service, no shipping address needs to be entered and no goods need to change hands in a donation to a political candidate. Thieves simply give a small donation of a few dollars as a test to see if a consumer has reported the card as stole.

This isn’t the fault of campaigns (which eventually must refund the fraudulent donations after a consumer realizes his or her credit card has been compromised). The problem is widespread and an open secret in tech politics circles yet largely unreported. In one of the only instances of the scam becoming a public embarrassment, Chris Murphy’s Senate campaign acknowledged that its donation system was used to test stolen cards in 2012.

The root of the problem is that political campaigns are often much less discerning about accepting credit cards than the private sector.